Google has launched a new program that pays rewards for vulnerabilities found in its open source projects.
The Open Source Software Vulnerability Rewards Program (OSS VRP) is the latest addition to the company's existing VRPs, which pay researchers for the security flaws they report.
Google says its first VRP, which rewarded those who helped secure Google's own code, was one of the first of its kind in the world. Now in its second decade of operation, the company is keen to highlight its continued commitment to supporting security researchers and bug hunters.
Google OSS VRP
Google says its existing VRPs, which cover Chrome, Android and other products across the company, have paid out more than $38 million for more than 13,000 submissions from researchers in 84 countries.
Google has also pledged to invest $10 billion in strengthening cybersecurity, including the security of the open source software its users and customers depend on.
The company cites the Codecov and Log4j incidents as two of the most notable examples behind a 650% year-over-year increase in attacks targeting the software supply chain last year.
According to the Google Security Blog, the OSS VRP covers all up-to-date versions of open source software stored in the public repositories of Google-owned GitHub organizations, such as GoogleAPIs and GoogleCloudPlatform. The highest rewards are reserved for the most sensitive projects, which Google identifies as Bazel, Angular, Golang, Protocol buffers, and Fuchsia; the list is expected to expand after the program's initial launch.
Bug hunters are asked to look for “vulnerabilities that lead to supply chain compromise; design issues that cause product vulnerabilities; [and] other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.”
Rewards range from $100 to $31,337, depending on the severity of the vulnerability discovered. Valid bugs that fall outside the scope of this particular VRP will not go to waste either: Google promises to route any such findings to the relevant VRP (and its reward pool).